Yahoo says 500 million accounts hacked

Calif. firm urges users to change their passwords

SAN FRANCISCO — Computer hackers swiped personal information from at least 500 million Yahoo accounts in what is believed to be the biggest digital break-in at an email provider.

The massive security breakdown disclosed Thursday poses new headaches for Yahoo CEO Marissa Mayer as she scrambles to close a $4.8 billion sale to Verizon Communications.

The breach disclosed Thursday dates to late 2014, raising questions about the checks and balances within Yahoo — a fallen internet star that has been laying off staff to counter a steep drop in revenue during the past eight years.

At the time of the break-in, Yahoo’s security team was led by Alex Stamos, a respected industry executive who left last year to take a similar job at Facebook.

Yahoo said the stolen data — dating to late 2014 — include users’ names, email, telephone numbers, birth dates, scrambled passwords and security questions and answers.

Yahoo didn’t explain what took so long to uncover a breach that it blamed on a “state-sponsored actor” — parlance for a hacker working on behalf of a foreign government. The Sunnyvale, Calif., company declined to explain how it reached its conclusions about the attack, but said it is working with the FBI and other law enforcement as part of its ongoing investigation.

“This is a pretty big deal that is probably going to cost them tens of millions of dollars,” predicted Avivah Litan, a computer security analyst for Gartner Inc. “Regulators and lawyers are going to have a field day with this one.”

Litan described it as the most accounts ever stolen from a single email provider.

Last month, the tech site Motherboard reported that a hacker who uses the name “Peace” boasted that he had account information belonging to 200 million Yahoo users and was trying to sell the data on the web.

Yahoo is urging that users change their passwords if they haven’t done so since 2014. The company said the attacker didn’t get any information about its users’ bank accounts or credit and debit cards.

News of the breach may cause some people to rethink relying on Yahoo’s services, raising a prickly issue for the company as it tries to sell its digital operations to Verizon.

That deal, announced two months ago, isn’t supposed to close until early next year. That leaves Verizon with wiggle room to renegotiate the purchase price or even back out if it believes the security breach will harm Yahoo’s business. That could happen if users shun Yahoo or file lawsuits because they’re incensed by the theft of their personal information.

Verizon said it still doesn’t know enough about the Yahoo break-in to assess the potential consequences.

“We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities,” the company said.

Investors evidently aren’t nervous about the Verizon deal unraveling yet. Yahoo’s stock added a penny Thursday to close at $44.17.